17.17 Org Crypt

Org Crypt encrypts the text of an entry, but not the headline or properties. Behind the scenes, it uses the Emacs EasyPG library to encrypt and decrypt files, and EasyPG needs a correct GnuPG setup.

Any text below a headline that has a ‘crypt’ tag is automatically encrypted when the file is saved. To use a different tag, customize the org-crypt-tag-matcher setting.

Here is a suggestion for Org Crypt settings in your Emacs init file:

(require 'org-crypt)
(org-crypt-use-before-save-magic)
(setq org-tags-exclude-from-inheritance '("crypt"))

(setq org-crypt-key nil)
;; GPG key to use for encryption.
;; nil means use symmetric encryption unconditionally.
;; "" means use symmetric encryption unless heading sets CRYPTKEY property.

(setq auto-save-default nil)
;; Auto-saving does not cooperate with org-crypt.el: so you need to
;; turn it off if you plan to use org-crypt.el quite often.  Otherwise,
;; you'll get an (annoying) message each time you start Org.

;; To turn it off only locally, you can insert this:
;;
;; # -*- buffer-auto-save-file-name: nil; -*-

It’s possible to use different keys for different headings by specifying the respective key as property ‘CRYPTKEY’, e.g.:

* Totally secret :crypt:
  :PROPERTIES:
  :CRYPTKEY: 0x0123456789012345678901234567890123456789
  :END:

Note that the ‘CRYPTKEY’ property is only effective when org-crypt-key is non-nil. If org-crypt-key is nil, Org uses symmetric encryption unconditionally.

Excluding the ‘crypt’ tag from inheritance prevents already encrypted text from being encrypted again.
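
Because encryption only happens when the file is saved from an Emacs session with the settings above, it can be useful to check the saved file from outside Emacs, for example before committing or syncing it. The following Python script is an added example, not part of Org or of this manual. It assumes the encrypted body is stored as an ASCII-armored PGP message after the planning lines and property drawer; the function name and the sample file content are constructed for illustration.

```python
import re

# Constructed sample of a saved Org file: the first entry was encrypted on
# save, the nested one was written to disk in plain text.
SAMPLE = """\
* Bank details :crypt:
  :PROPERTIES:
  :CRYPTKEY: 0x0123456789012345678901234567890123456789
  :END:
-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----
* Notes
** Server passwords :work:crypt:
root: hunter2
* Empty entry :crypt:
"""

HEADING = re.compile(r"^(\*+)\s+(.*?)(?:\s+:([\w@#%:]+):)?\s*$")
META = re.compile(r"^\s*(SCHEDULED|DEADLINE|CLOSED):")
ARMOR = "-----BEGIN PGP MESSAGE-----"

def plaintext_crypt_entries(org_text, tag="crypt"):
    """Return headlines tagged `tag` whose body does not start with PGP armor."""
    lines, findings, i = org_text.splitlines(), [], 0
    while i < len(lines):
        m = HEADING.match(lines[i])
        i += 1
        # Only headings that carry the tag directly count (no inheritance).
        if not m or tag not in (m.group(3) or "").split(":"):
            continue
        level, body = len(m.group(1)), []
        # The subtree runs until the next heading at the same or a higher level.
        while i < len(lines):
            h = HEADING.match(lines[i])
            if h and len(h.group(1)) <= level:
                break
            body.append(lines[i].strip())
            i += 1
        # Planning lines and the property drawer stay in plain text by design.
        while body and (not body[0] or META.match(body[0])):
            body.pop(0)
        if body and body[0] == ":PROPERTIES:":
            body = body[body.index(":END:") + 1:] if ":END:" in body else []
        body = [line for line in body if line]
        if body and body[0] != ARMOR:
            findings.append(m.group(2))
    return findings

if __name__ == "__main__":
    print(plaintext_crypt_entries(SAMPLE))
```

The check only looks at how each tagged entry begins, so plain text that follows an armored block is not reported.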